Endpoint Protection


12.1 Heuristic Scan and SVCHOST.EXE

  • 1.  12.1 Heuristic Scan and SVCHOST.EXE

    Posted Jul 12, 2011 08:47 AM

    I am testing 12.1 on about 20 machines in my environment and half of them are returning this "Single Risk Event" and I am nearly 100% sure that this is a false positive. What would be the best way to make 100% sure that it is and stop this event from triggering?


    Message from:
        Server name: ServerName
        Server IP: 10.X.X.X
        Administrator Email: jerry.gamblin
    At least one security risk found:

    Risk name: Microsoft® Windows® Operating System
    File path: c:\windows\system32\svchost.exe
    Event time: Jul 11, 2011 9:40:34 AM
    Database insert time: Jul 12, 2011 7:26:25 AM
    Source: Heuristic Scan
    Description: ""
    User: SYSTEM
    Computer: Computer Name
    IP Address: 10.X.X.X
    Domain: Default
    Server: MOAV
    Client Group: My Company\Group
    Action taken on risk: Access denied
    This alarm was generated at Jul 12, 2011 7:28:56 AM (Reporter host Time).
    This alarm was generated by admin, with the following filters:
    Domain: %
    Group: %
    Server: %
    Computer: %
    Risk name: %



  • 2.  RE: 12.1 Heuristic Scan and SVCHOST.EXE

    Posted Jul 12, 2011 10:05 AM

    You should submit the file to Symantec for analysis ASAP. Let's see if this is truly a FP.

    http://www.symantec.com/business/security_response/submitsamples.jsp


    You may also submit the file to Threat Expert (owned by Symantec) for analysis.

    http://www.threatexpert.com/submit.aspx



  • 3.  RE: 12.1 Heuristic Scan and SVCHOST.EXE

    Posted Jul 12, 2011 10:12 AM

    Ran it through threatexpert.com and virustotal.com and it came back clean on both sites and a match to the DVD version of Windows 7 on Virustotal.com.



  • 4.  RE: 12.1 Heuristic Scan and SVCHOST.EXE

    Posted Jul 12, 2011 10:18 AM

    Then you should submit a False Positive report here - https://submit.symantec.com/false_positive/


    Best,

    Thomas



  • 5.  RE: 12.1 Heuristic Scan and SVCHOST.EXE

    Posted Jul 12, 2011 10:52 AM

    First of all, exclude this file from scanning... secondly, upload the file to https://submit.symantec.com/gold (depends on your support contract).

    Do mention in the upload that you are looking for a false positive inquiry...



  • 6.  RE: 12.1 Heuristic Scan and SVCHOST.EXE

    Trusted Advisor
    Posted Jul 12, 2011 11:58 AM

    Hello,

    Since you are carrying Symantec Endpoint Protection 12.1, and you are sure that the File detected is a False Positive, you may have to work on the steps below:

    1) Submit the Files to the 

    https://submit.symantec.com/false_positive/

    and 

    https://submit.symantec.com/<your entitlement goes here>

    for example: 

    https://submit.symantec.com/essential

    2) Once, you have submitted the files, you would get an email with a Tracking number in the subject line.

    3) Create a Case with the Symantec Technical Support. You would have to provide the Tracking number to the Technical Representative. You can log a case on the web portal by:

    QuickStart Guide - Create and Manage Support Cases in SymWISE

    http://www.symantec.com/docs/HOWTO31132

    How to update a support case and upload diagnostic files with MySupport

    http://www.symantec.com/docs/TECH71023

    4) Symantec Technical Support Representative would do the needful ASAP.

    5) You can also work on the Article as provided below:

    Handling and preventing SONAR false positive detections

    http://www.symantec.com/docs/HOWTO55273

    Hope this helps!!!


  • 7.  RE: 12.1 Heuristic Scan and SVCHOST.EXE

    Posted Jul 12, 2011 12:09 PM

    I did upload the file.



  • 8.  RE: 12.1 Heuristic Scan and SVCHOST.EXE

    Broadcom Employee
    Posted Jul 12, 2011 01:24 PM

    It looks like there is some confusion.

    This was detected by a "Heuristic Scan" or "Sonar/TruScan".

    The tell-tale sign here is that the detection has cited the OS itself as the risk:

    Risk name: Microsoft® Windows® Operating System
    File path: c:\windows\system32\svchost.exe

    This is likely a legitimate detection based upon the settings you have set for the Sonar component. To confirm whether or not what you are seeing is intended or unintended, please review the SONAR logs.

    Monitors->Logs->Log Type: SONAR->Set an appropriate Time Range->View Log

    Review the details for the detection that occurred to determine if the action taken was appropriate. We saw this a few times during the beta where SONAR was triggering on a DNS change by Svchost.exe. In this case we're doing what has been configured, but you can change the behavior if you decide you do not wish to be warned about this particular detection.

    Review your settings for SONAR here once you have checked out the log for the detection:

    Policies->Edit Virus and Spyware Protection Policy->Protection Technology: SONAR->System Change Events

    Alternatively, I believe you should be able to do an exclusion from the Monitors->Logs->Log Type: SONAR area for this particular item should you wish to leave the System Change Events feature fully enabled.

    I hope that this information was helpful and I apologize for any confusion the detection may have caused for you.



  • 9.  RE: 12.1 Heuristic Scan and SVCHOST.EXE

    Posted Jul 12, 2011 01:32 PM

    The Log shows this:


    Does this mean that the actual host file is trying to be changed or something else?



  • 10.  RE: 12.1 Heuristic Scan and SVCHOST.EXE
    Best Answer

    Posted Jul 12, 2011 01:37 PM

    It means svchost is trying to touch the host file - this can happen quite regularly on some systems. It's nothing to be concerned about. You will normally see this with VPN clients and such like too.

    We cannot create exceptions for this component of SONAR yet (that's something we are working on), so you have two options:

    1. Enable the feature in log only mode

    2. Disable the feature completely
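    Once the System Change Events feature runs in log-only mode, the write to the hosts file is no longer blocked, so the two checks this thread performed by hand (comparing the flagged svchost.exe against a hash you trust, and looking at what actually changed in the hosts file) are worth scripting. The following is an added example written for this page, not code from the thread or from Symantec; the hosts-file content and the trusted hash set are constructed placeholders.

```python
"""Added example (not from the thread or Symantec): local triage for a
SONAR 'svchost.exe touched the hosts file' event.

  1. sha256_matches: compare the flagged binary against a hash you
     trust (the poster relied on VirusTotal's match to the Windows 7
     DVD copy; supply your own reference hashes here).
  2. suspicious_hosts_entries: list hosts-file lines that point a name
     anywhere other than loopback, since log-only no longer blocks them.
The sample hosts content below is constructed for illustration.
"""
import hashlib
import ipaddress

SAMPLE_HOSTS = """\
# constructed hosts file: Windows defaults plus one injected redirect
127.0.0.1       localhost
::1             localhost
203.0.113.10    update.example.com   # redirect to a remote address
"""


def sha256_matches(data: bytes, known_good: set[str]) -> bool:
    """True if data's SHA-256 (hex, case-insensitive) is in the trusted set."""
    return hashlib.sha256(data).hexdigest() in {h.lower() for h in known_good}


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        entries.extend((addr, n.lower()) for n in names)
    return entries


def suspicious_hosts_entries(text: str) -> list[tuple[str, str]]:
    """Entries that resolve a name to a non-loopback address.

    VPN clients and DNS changes legitimately touch the file, so expect
    some internal names here; a real domain pointed at an unfamiliar
    address is what deserves review. Unparseable addresses are kept
    rather than silently dropped.
    """
    flagged = []
    for addr, name in parse_hosts(text):
        try:
            if ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            pass  # malformed address: keep it for review
        flagged.append((addr, name))
    return flagged
```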



  • 11.  RE: 12.1 Heuristic Scan and SVCHOST.EXE

    Posted Jul 12, 2011 02:18 PM

    I have changed those to log only in my Antivirus Policy.

    Thanks for the help!



  • 12.  RE: 12.1 Heuristic Scan and SVCHOST.EXE

    Posted Aug 11, 2011 12:40 PM

    I'm having the same issue:


    My policy is set to log only (see screen shot from client). Any idea why the alert is still generated?